Android: Why you should update
If you have a Samsung or HTC phone running Android, it might be worth
checking out this link.
If it returns a number ready for dialing -- as in the picture on the
left (below) -- you're okay. But if it returns the phone's IMEI number -- as in the
shot on the right -- it might be time to upgrade your phone's OS.

The reason is a recently discovered bug in some phone makers' implementations of the way that Android treats USSD numbers.
Unstructured Supplementary Service Data (USSD) numbers are used for numerous things, from shortcuts for retrieving voice messages to actually configuring the phone itself. Dial *#06## on a Samsung and you'll get back the device's unique International Mobile Equipment Identity (IMEI) number. This is useful stuff, and there's even a URI scheme (called tel:) that allows so-called click-to-call links to be embedded in web pages. The problem arises because affected phones automatically dial whatever USSD code they are given.
As I said, USSDs can be used to configure the phone itself. Dialling one particular number -- in Samsung's case it's *2767*3855# -- will do a factory reset on the phone and wipe all your data -- contacts, address books, photos, the lot. Rather annoying, especially if you haven't done a backup lately. A malicious website could embed that code in a tel: link and wipe your phone the moment you visit.
The actual bug was fixed three months ago. Indeed, my Galaxy S3 (running Android version 4.0.4) returned the image on the left for the above test. But there are potentially many phones out there running earlier, buggy versions so it pays to check!
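
A defender-side check for the behaviour described above, as an added example that is not from the original article: it scans page source for tel: URIs and flags any whose dial string contains * or #, which marks a USSD/MMI code rather than an ordinary phone number. The function names and the sample HTML (including the placeholder code *#00#) are constructed for illustration.

```javascript
// Added example: flag tel: URIs that carry USSD/MMI codes instead of phone numbers.

// tel: at a word boundary, then everything up to a quote, whitespace or angle bracket.
const TEL_URI = /\btel:([^"'\s<>]*)/gi;

// '#' is the URI fragment delimiter, so codes are often percent-encoded (%23).
function decodeDialString(raw) {
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw; // malformed escape sequence: classify the raw text instead
  }
}

// A dial string containing * or # is a service code, not a subscriber number.
function classifyDialString(dial) {
  const compact = dial.replace(/[\s\-().]/g, ""); // drop visual separators
  if (/[*#]/.test(compact)) return "ussd-or-mmi";
  if (/^\+?\d+$/.test(compact)) return "phone-number";
  return "other";
}

// Return every tel: URI found in the page source, with its decoded dial string.
function findTelUris(html) {
  const findings = [];
  for (const m of html.matchAll(TEL_URI)) {
    const dial = decodeDialString(m[1]);
    findings.push({ uri: m[0], dial, kind: classifyDialString(dial) });
  }
  return findings;
}

// Only the URIs a filter or proxy would want to block or prompt on.
function riskyTelUris(html) {
  return findTelUris(html).filter((f) => f.kind === "ussd-or-mmi");
}

// Constructed sample page: one ordinary click-to-call link, one service code.
const SAMPLE_HTML = `
<a href="tel:+64-9-555-0100">Call us</a>
<a href="tel:*%2300%23">Check</a>
<p>Our hotel:0800 desk is not a link</p>
`;

for (const f of findTelUris(SAMPLE_HTML)) {
  console.log(`${f.kind.padEnd(12)} ${f.uri} -> ${f.dial}`);
}
```

The same classification applies wherever a tel: URI is handed to the dialer, which is why a patched dialer shows the number for confirmation rather than executing it.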

PC World is New Zealand’s top selling computing and technology magazine.
Comments
If your phone is vulnerable to this, you can use this app to block it: https://play.google.com/store/apps/details?id=org.mulliner.telstop
There are instructions on here: http://www.pcworld.idg.com.au/article/437505/how_check_your_android_phone_vulnerable_ussd_security_flaw/
Posted by: Frank | October 8, 2012 11:41 PM
Advice to update is always good, but only a very small percentage of Android devices receive updates via their carrier. There are still phones being sold using Android 2.2 that have no hope of being updated.
The carriers and manufacturers simply don't care enough. In an ideal world even your Galaxy SIII would've been running 4.1 months ago.
Posted by: Rick | October 1, 2012 6:04 PM
Linda: Go to Settings / About and tap Software Update.
Posted by: Geoff | October 1, 2012 9:19 AM
Thanks for the info, but how do I now go about upgrading the OS on my phone?
Posted by: Linda | October 1, 2012 8:23 AM